CIOs need IT governance rethink

IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk-based strategy, says Gartner research director Julie Short.

"Just locking down systems is not a good approach. As social media becomes more a part of business, people find more creative ways of getting around the controls," she said. "You don't want them to do that. You want to know what they are doing."

Gartner advises CIOs to look at the risks of social media to the business as a whole, not just the IT department.

The strategy will need to recognize that certain parts of the business are more risk averse than others, she says.

For example, HR and marketing may adopt social media and collaboration tools very quickly, while finance departments will be more cautious, and may have to take regulatory issues into account.

It is also important for CIOs to understand who the audience for social media is, in order to assess the potential risks to the business.

"The danger in adopting social collaboration is to take a thoughtless approach, without understanding the consequences," she said.

"Proprietary information may be opened up to people in the wrong part of the organization or the outside. That might create issues for audit and compliance."

But too prescriptive an approach can make it harder for employees to do their jobs effectively.

Social media will encourage businesses to adopt principles-based governance policies that leave more discretion to employees, rather than introducing strict controls.

"It brings in the human factor and we are not accustomed to that," she said. "How do you enforce principles, and how do you make your employees adhere to principles? It's a completely different mind-set."

The biggest problem with governance in IT is that people have very different views of what governance means, says Short.

"Many times when you are speaking with different individuals you have to clarify what you are talking about. In many instances governance equals control. But it's also about decision making and being clear in the organization what decisions are being made."

This story was first published by Computer Weekly
